upgrading a GSM application to the GPRS - PPP

Thread: upgrading a GSM application to the GPRS

  1. upgrading a GSM application to the GPRS

    Hi to all, I have a question and some doubts...

    I have a microcontroller application (A) that actually makes data calls
    via a GSM module in order to connect to a remote PC.
    The PC modem answers (it is in autoanswer mode) and then A starts a
    PPP/CHAP phase with the username and password embedded in A. After this, a
    PPP/TCP/IP flow starts on the point-to-point GSM channel between A and
    the PC. Generic data is transmitted, no HTTP data.

    I need to switch from GSM to GPRS technology, taking into account some
    changes to the software of both the PC and A that I have to make.

    The question is:

    After A makes a GPRS call by ATD#99#. (or AT+CGDACT..) and
    after the module authenticates it with the APN (user & password if
    required), is it possible to start again the PPP/CHAP phase embedded in
    application A (in order to allow compatibility)?

    In other words, is it still needed? Or could I cut the code of the PPP
    stack and the related CHAP user & password on A and on the PC, and after APN
    authentication directly start with the TCP/IP flow?

    My doubt was also about the security issue...
    On the "old" GSM I have a point-to-point authenticated channel. On GPRS,
    how to allow the same level of security?

    Thanks a lot.
    Dario.


  2. Re: upgrading a GSM application to the GPRS

    "dario" writes:
    > I need to switch from GSM to GPRS technology, taking in account some
    > changes on the software of both PC and A that I have to do.


    This doesn't really sound like a PPP question to me.

    > After that A make a GPRS call by ATD#99#. (or AT+CGDACT..) and
    > after the module authenticate it with the APN (user&password if
    > required), it is possible to start again the PPP/CHAP phase embedded on
    > application A (in order to allow compatibility)?


    Per the PPP standards, sure. But for a given implementation, that
    might not work. In fact, it almost certainly does not work.

    I'm not sure why you're asking this. Why wouldn't you just negotiate
    PPP as you've always done, and just change the dialing sequence for
    the new phone? Why would it require some sort of complex PPP-restart
    and "compatibility" mechanism?

    I don't understand why the solution would look like this.

    > In other word, it is still need?? Or I could cut the code of the PPP
    > stack and relative chap user&password on A and on the PC, and after APN
    > authentication directly start with TCP/IP flow?


    I don't think that question makes sense in the context of PPP.

    PPP doesn't describe anything about how the serial channel itself is
    established. On some media, that might involve "dialing" or
    "chatting" or some other process. On other media (i.e., dedicated
    lines), nothing is needed. PPP describes only what happens after a
    bidirectional channel has been established. The rest is a local
    implementation matter, or an issue for some other standard.

    Once the low-level link is available and PPP starts, it negotiates
    basic link parameters (LCP), optional authentication (PAP, CHAP, EAP),
    and then optional network layers (IP, IPv6, AppleTalk, et cetera).
    This part is controlled by the PPP standards, and, other than
    implementation bugs, has little to do with the underlying connection
    technology. (There are a few related parameters in LCP, but that's
    basically it.)

    The whole point of the Internet standards is layering: you don't have
    to redesign one of the upper layers just because the lower layers have
    changed. IP runs great on PPP, Ethernet, ATM and others. PPP runs
    fine on dedicated lines, analog modems, SONET, and others. This is
    possible because those technologies are designed to be independent.

    > My doubt was on security issue also...
    > On the "old" GSM I have a point-to-point authenticated channel. On GPRS
    > how to allow the same level of security?


    How did you do it before?

    If you merely "trusted" GSM to provide you with adequate security
    (something I almost certainly would not have done; but it's your
    choice), then you need to evaluate whether GPRS provides the same
    level of security according to your needs. This has nothing to do
    with PPP; it's your issue to work out.

    If it were _my_ system and I was concerned about security for this
    application, then I'd work out what the threat model is and find
    solutions to match. That might include (for example) some combination
    of packet filters, IPsec, and application layer mechanisms. But it
    could include lower-level mechanisms, if such things were available.

    Again, not really a PPP issue, and not something for which you'll
    likely get adequate answers in this newsgroup.

    --
    James Carlson, KISS Network
    Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
    MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677

  3. Re: upgrading a GSM application to the GPRS

    James, thanks for your responses.
    I will try to explain the problem better. I have limited knowledge of
    this protocol.

    The PC is in a corporate intranet and application A has an internal
    TCP/IP stack and is used for telemetry in the field.
    The GSM modem on 'A' calls the corporate RAS server and, after receiving
    the 'CONNECT 9600', starts encapsulating TCP/IP packets in PPP
    frames.

    Until now authentication between the two peers was ensured by enabling
    CHAP username and password.
    Confidentiality was ensured by the physical access mode (GSM
    point-to-point) and by calling line identification (CLI).

    Sorry for the question but, if we had not needed authentication,
    would PPP really have been necessary? I ask this because
    actually in another serial application I send a "custom" protocol
    on the GSM channel without need of PPP. After the 'CONNECT 9600' I
    send and receive the packets normally... no PPP is used (in this case I
    think I have not entirely understood what is stated by the RFC: "PPP provides
    a method for transmitting datagrams over serial point-to-point
    links").

    Now we would like to change technology: GPRS.

    > I'm not sure why you're asking this. Why wouldn't you just negotiate
    > PPP as you've always done, and just change the dialing sequence for
    > the new phone? Why would it require some sort of complex PPP-restart
    > and "compatibility" mechanism?


    The dial-up ATD*99# is done with the GPRS operator, not with my
    company.
    So, by ATD*99# I do not authenticate A at my company's RAS, but only
    connect A to the APN. I still need to authenticate A at my company in
    the old mode, with the USER and PASSWORD embedded in A. I hope this
    explains why I ask to restart the PPP/CHAP... after the 'CONNECT' on
    the GPRS net. Obviously I know that with GPRS we will lose
    confidentiality on the "public internet", but this is a problem we
    will solve in the next step (I am thinking of using a compulsory VPN, but if you could
    give me a suggestion..), now we are in the test phase.

    As above, an ancestral doubt.. if we had not needed authentication,
    why would PPP have been needed if GPRS is not a point-to-point
    connection?

    Hoping for your reply,
    Dario.


  4. Re: upgrading a GSM application to the GPRS

    "dario" writes:
    > James, thanks for your responses.
    > I will try to explain better the problem. I have limited knowledge on
    > this protocol.


    OK, then, some fundamentals are in order.

    PPP is a means to convert a bidirectional serial connection between
    two machines into a point-to-point network interface. That's
    essentially all that it does. Anything else that you need is up to
    you and the systems that you choose. And if you don't actually need a
    network interface, then you probably don't want PPP.

    > Until now authentication between the two peer was ensured by enabled
    > CHAP username and password.
    > Confidentiality was ensured by physical access mode (GSM
    > point-to-point) and by calling line identification (CLI).


    PPP neither knows nor cares about GSM. This is your issue to work
    out, not something that PPP can dictate. If your evaluation of the
    security of GPRS is such that you consider it to be inferior to GSM (I
    frankly don't know, and such a topic would be wildly off-topic for
    this newsgroup), then you have two choices:

    - don't use GPRS because it doesn't supply the features you need.

    - evaluate mechanisms you can add that give you the additional
    security you need (possibly some combination of PPP authentication
    and/or encryption, and/or network layer mechanisms).

    You must decide on your own whether GPRS solves the problems you have,
    and then make appropriate choices. This isn't something PPP can
    resolve for you.

    > Sorry for the question but, if we had not needed of authentication,
    > does the PPP would have been really necessary? I ask this because


    Sure. PPP provides you with a network interface. I'm assuming you're
    using PPP because you want to have a network interface.

    If you're not using it for that reason, then I don't follow.

    > actually on another serial application I send a "custom" protocol
    > on the GSM channel without need of PPP. After the 'CONNECT 9600' I
    > send and receive the packet normally...no PPP is used (in this case I


    "Packet?" If you don't have PPP, then all you have is a raw,
    byte-oriented interface. There are no "packets."

    An alternative (older, less capable) technology that provides packet
    framing on serial lines is called "SLIP." It might or might not do
    what you're asking.

    There are also non-networking technologies possible here, including
    the sorts of ASCII-based framing often used with credit card
    processing protocols, and some ISO and ITU-T protocols.

    > think I do not entirely understood as stated by the RFC "PPP provides
    > a method for transmitting datagrams over serial point-to-point
    > links").


    It transforms a link that's fundamentally bit (or byte) oriented into
    one that frames packets.

    Equivalently: it turns a serial interface into a network interface.

    > Now we would want to change technology: GPRS.


    Fine. It's just a serial port as far as PPP is concerned. It's not a
    change.

    > > I'm not sure why you're asking this. Why wouldn't you just negotiate
    > > PPP as you've always done, and just change the dialing sequence for
    > > the new phone? Why would it require some sort of complex PPP-restart
    > > and "compatibility" mechanism?
    >
    > The dial-up ATD*99# is done with the GPRS operator, not with my
    > company.
    > So, by ATD*99# I do not authenticate A at my RAS company, but only,
    > connect A at the APN.


    "APN?"

    > I still need to authenticate A in my company in
    > the old mode, with the USER and PASSWORD embedded in A. I hope it is
    > explained why I ask to re-start the PPP/CHAP...after the 'CONNECT' on
    > the GPRS net. Obviously I know that by GPRS we will lost
    > confidentiality on the "public internet", but this is a problem we
    > solve on the next step (I think to use compulsory VPN, but if you could
    > give me a suggestion..), now we are in test phase.


    I am having a hard time deciphering that, but let me make a guess.

    With GSM, you were dialing into a point that you considered "secure"
    (some gateway you controlled) but with GPRS you're dialing into a
    public Internet access site.

    Is that correct? In this case, you're not talking about anything that
    really has much to do with PPP or even GSM or GPRS. It's all about
    the number you're dialing.

    If you need to go over the public Internet, then you need to take that
    into consideration in your security evaluation. Personally, I'd
    *NEVER* have trusted a GSM connection into a gateway that I
    controlled -- it's still possible for the telephone company itself to
    be compromised, and there's no reason to take that risk. But it's
    your system, so you do as you want.

    If going unencrypted over the Internet isn't something you can live
    with, then you'll need to pick a suitable security mechanism. This is
    *FAR* outside the bounds of what PPP does. PPP just gives you a
    network link.

    I'd suggest investigating IPsec, Kerberos, SSH, and SSL/TLS. These
    are basic security mechanisms that work in slightly different ways,
    and that can be used on the Internet.

    Good luck. I don't think there are any PPP questions remaining here.
    If you need to know about security on the Internet, you need another
    newsgroup.

    > As above, an ancestral doubt.. if we had not needed of authentication,
    > why the PPP would have been need if GPRS is not a point-to-point
    > connection?


    PPP works only on point-to-point connections. It's right there in the
    name.

    I'm not sure what you're asking about here.

    --
    James Carlson, KISS Network
    Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
    MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
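
The framing step described in the reply above (a byte-oriented serial link turned into one that carries packets), written out as an added example that is not code from any poster in this thread. It follows the HDLC-like framing of RFC 1662 and assumes the default async control character map and no address or protocol field compression; the function and class names are this example's own.

```python
FLAG, ESC, XOR = 0x7E, 0x7D, 0x20   # RFC 1662 flag, control escape, escape XOR
GOOD_FCS = 0xF0B8                   # FCS register after a valid body + FCS

def fcs16(data, fcs=0xFFFF):
    """PPP 16-bit FCS register (reflected polynomial 0x8408), before final XOR."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def ppp_frame(protocol, payload):
    """Wrap one datagram: FF 03, 2-byte protocol, payload, FCS (LSB first)."""
    body = bytes([0xFF, 0x03]) + protocol.to_bytes(2, "big") + payload
    body += (fcs16(body) ^ 0xFFFF).to_bytes(2, "little")
    out = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC) or b < 0x20:   # default ACCM: escape 0x00-0x1F
            out += bytes([ESC, b ^ XOR])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)

class Deframer:
    """Rebuild frames from serial bytes that arrive in arbitrary chunks."""
    def __init__(self):
        self.buf, self.esc = bytearray(), False

    def feed(self, data):
        frames = []
        for b in data:
            if b == FLAG:
                # Keep the frame only if it is long enough, was not aborted
                # (ESC directly before FLAG) and its FCS checks out.
                if len(self.buf) >= 6 and not self.esc and fcs16(self.buf) == GOOD_FCS:
                    proto = int.from_bytes(self.buf[2:4], "big")
                    frames.append((proto, bytes(self.buf[4:-2])))
                self.buf.clear()
                self.esc = False
            elif b == ESC:
                self.esc = True
            else:
                self.buf.append(b ^ XOR if self.esc else b)
                self.esc = False
        return frames
```

The FCS detects line errors only; it is not keyed, so framing by itself authenticates nothing.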

  5. Re: upgrading a GSM application to the GPRS


    dario wrote:
    > Hi to all, I have a question and some doubt...
    >
    > I have an microcontroller application (A) that actually make data calls
    > via GSM module in order to connect it on a remote PC.
    > The PC modem answer (it is in autoanswer mode) and then A start a
    > PPP/CHAP phase with username and password embedded on A. After this, a
    > PPP/TCP/IP flow starts on the point-to-point GSM channel between A and
    > PC. Generic data is transmitted, no HTTP data.
    >
    > I need to switch from GSM to GPRS technology, taking in account some
    > changes on the software of both PC and A that I have to do.
    >
    > The question is:
    >
    > After that A make a GPRS call by ATD#99#. (or AT+CGDACT..) and
    > after the module authenticate it with the APN (user&password if
    > required), it is possible to start again the PPP/CHAP phase embedded on
    > application A (in order to allow compatibility)?
    >
    > In other word, it is still need?? Or I could cut the code of the PPP
    > stack and relative chap user&password on A and on the PC, and after APN
    > authentication directly start with TCP/IP flow?

    For a GPRS connection, the communication between your board and the remote
    PC is from the network layer and above. All network packets go
    through your telco's network.
    There is no way for you to authenticate your board to the PC through the PPP
    layer.
    It is different from PPP connectivity through GSM.


    > My doubt was on security issue also...
    > On the "old" GSM I have a point-to-point authenticated channel. On GPRS
    > how to allow the same level of security?


    Any user and password can be used in PPP authentication for a GPRS
    connection.
    Your embedded board can get a GPRS connection with any user and password
    in PPP authentication.
    For the security issue, you may implement IPsec on the embedded board and
    the remote PC.
    You may apply a private APN and a leased line to your remote PC
    if you have a lot of boards to connect to the GPRS connection.


    Regards
    Goh Choon Lye
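
What the CHAP exchange discussed throughout this thread computes on each side, per RFC 1994 (MD5 variant), as an added example that is not code from any poster. It shows that CHAP proves knowledge of the shared secret only to whichever device terminates the PPP link; the names, secret and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP codes (RFC 1994)

def chap_packet(code, ident, value, name):
    """Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    vsize = pkt[4]
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("bad CHAP length")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def chap_md5(ident, secret, challenge):
    # Response value = MD5(Identifier || secret || Challenge value)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def make_challenge(ident, auth_name):
    challenge = os.urandom(16)  # must be unpredictable and never reused
    return challenge, chap_packet(CHALLENGE, ident, challenge, auth_name)

def peer_respond(challenge_pkt, peer_name, secret):
    code, ident, challenge, _ = parse_chap(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    return chap_packet(RESPONSE, ident, chap_md5(ident, secret, challenge), peer_name)

def verify(response_pkt, ident, challenge, secrets):
    """Authenticator side: look up the secret by Name and compare digests."""
    code, rid, value, name = parse_chap(response_pkt)
    secret = secrets.get(name)
    ok = (code == RESPONSE and rid == ident and secret is not None
          and hmac.compare_digest(value, chap_md5(ident, secret, challenge)))
    return SUCCESS if ok else FAILURE

def demo():
    secrets = {b"unit-A": b"constructed-secret"}  # constructed sample values
    ch1, pkt1 = make_challenge(1, b"ras")
    good = peer_respond(pkt1, b"unit-A", b"constructed-secret")
    bad = peer_respond(pkt1, b"unit-A", b"wrong-guess")
    ch2, _ = make_challenge(2, b"ras")
    replayed = good[:1] + b"\x02" + good[2:]  # old response, new Identifier
    return (verify(good, 1, ch1, secrets), verify(bad, 1, ch1, secrets),
            verify(replayed, 2, ch2, secrets))
```

Only the authenticator that issued the Challenge and holds the secret table can run `verify`; a host reached later over IP never sees this exchange.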

